A FLEXIBLE WLAN ACCESS POINT ARCHITECTURE CAPABLE OF ACCOMMODATING DIFFERENT USER DEVICES



RELATED APPLICATION 

This application claims the benefit of U.S. Provisional Application No. 60/454,558, 
filed March 4, 2003, which is incorporated herein by reference. 

1. Field of the invention 

The invention provides an apparatus and a method for controlling access by a user 
terminal to a communications network, and in particular an apparatus and a method for 
controlling access by a mobile terminal to a WLAN by accommodating the particular 
capabilities of each mobile terminal and selecting, accordingly, the optimum available 
authentication mechanism. 

2. Description of Related Art 

The context of the present invention is the family of wireless local area networks 
(WLAN) employing the IEEE 802.1x architecture, having an access point that provides access 
for mobile devices to other networks, such as hard-wired local area networks and global 
networks such as the Internet. Advancements in WLAN technology have resulted in publicly 
accessible WLANs at rest stops, cafes, libraries and similar public facilities ("hot spots"). 
Presently, public WLANs offer mobile communication device users access to a private data 
network, such as a corporate intranet, or a public data network such as the Internet, as well 
as peer-to-peer communication and live wireless TV broadcasting. The relatively low cost to 
implement and operate a public WLAN, as well as the available high bandwidth (usually in 
excess of 10 Megabits/second), makes the public WLAN an ideal access mechanism through 
which mobile wireless communications device users can exchange packets with an external 
entity. However, as will be discussed below, such open deployment may compromise security 
unless adequate means for identification and authentication exist. 

When a user operating a terminal incorporating the IEEE 802.1x protocol ("client 
terminal" or simply "IEEE 802.1x client") attempts to access a public WLAN at a hot spot, 
the IEEE 802.1x client terminal begins the authentication process according to its 
current machine configuration. After authentication, the public WLAN opens a secure data 
channel to the mobile communications device to protect the privacy of data passing between 
the WLAN and the device. Presently, many manufacturers of WLAN equipment have adopted 
the IEEE 802.1x protocol for deployed equipment. However, other devices utilizing WLAN 
may use other protocols, such as may be provided by wired electronic privacy (WEP). 
Notably, the predominant authentication mechanism for WLAN utilizes the IEEE 802.1x 
protocol. Unfortunately, the IEEE 802.1x protocol was designed with private LAN access as 
its usage model. Hence, the IEEE 802.1x protocol does not provide certain convenient 
features necessary in a public WLAN environment. A further problem with the current 
predominant standard is that it requires IEEE 802.1x protocol client software installation and 
configuration. In addition, the IEEE 802.1x protocol does not have a sophisticated mechanism 
for interacting with the user. The access point can only send simple messages to the client via 
electronic access point (EAP) notification. This may be sufficient for an enterprise setting, but 
in a hot spot the access point might require that the user accept an end user license before 
permitting access. In some instances, the access point needs to inform the user about service 
charges. One solution would be to provide the access point with the capability to interact with 
the users via the web browser interface. 

Most existing WLAN hot spot wireless providers use a web browser based solution for 
user authentication and access control, offering convenience to the user in that it does not 
require any software download on the user device. As illustrated in Figure 1, the primary 
entities typically involved in an authentication in a public WLAN environment are a 
mobile terminal (MT), a WLAN access point (AP), a local server and an authentication server 
(AS). In the web based solution, the user is securely authenticated through HTTPS by the AS, 
which in turn notifies the AP to grant access to the MT. Such an authorization server may be 
owned by the WLAN operator or by any third party provider, such as Independent Service 
Providers (ISPs), pre-paid card providers or cellular operators, referred to more broadly as 
virtual operators. A public WLAN hot spot, therefore, should accommodate such different 
client and operator capabilities, and based on them the WLAN should have the ability to select 
different authentication mechanisms. The prior art has not sufficiently addressed means that 
would provide such capabilities; however, the invention described herein provides a novel solution. 
SUMMARY OF THE INVENTION 

What is desired is an apparatus and a method for improving the security, or control of 
access by a user terminal, to a communications network, in particular the control of access by 
a mobile terminal to a wireless local area network. 

The invention provides a method for controlling the access by a terminal device by 
determining the type of authentication protocol associated with the terminal device and 
automatically routing the authentication request to the appropriate authentication server. 
Specifically, the invention herein provides a method for controlling the access of a terminal 
device in a WLAN environment by determining whether the terminal device utilizes an IEEE 
802.1x protocol, comprising the steps of an access point communicating to the mobile 
terminal a request to identify; if the mobile terminal utilizes an IEEE 802.1x protocol it 
acknowledges the request to identify, otherwise the access point determines that the mobile 
terminal does not employ an IEEE 802.1x protocol and therefore selects an authentication 
mechanism compatible with the mobile terminal. 

If the terminal device is not IEEE 802.1x compliant, the access point enters a state in 
the access point that indicates the terminal is a non-IEEE 802.1x protocol device, configures an 
IP packet filter and redirects a user HTTP request to a local server. The process of the present 
invention may also communicate from the local server to the terminal device information 
specifically related to a browser-based authentication. If the device utilizes the IEEE 802.1x 
protocol, the access point transitions to a state that indicates that the mobile terminal is IEEE 
802.1x compliant and thereafter processes all further communication utilizing the IEEE 
802.1x protocol. In the event that the authentication process fails, one embodiment of the 
present invention initiates in the access point a failure condition. 



One embodiment of the invention for improving the security of a terminal device in a 
WLAN environment utilizes the access point for determining whether the device utilizes the 
IEEE 802.1x protocol, by having the access point communicate to the terminal device a 
Request-Identity EAP packet, whereby if the device utilizes an IEEE 802.1x protocol the 
device responds with a Response-Identity EAP packet, and otherwise the access point 
determines that the mobile terminal does not employ an IEEE 802.1x protocol (e.g. 
based on timeout) and selects an authentication mechanism compatible with the mobile 
terminal. 



The invention for improving the security of a terminal device in a WLAN environment 
also includes an apparatus comprised of an access point in communication with a terminal 
device in a WLAN environment, utilizing a means to determine whether the terminal device 
utilizes an IEEE 802.1x protocol; if the terminal does not utilize said protocol, then the 
access point employs an authentication means compatible with the terminal device, otherwise 
the access point employs an IEEE 802.1x protocol. The access point means to determine 
includes communicating to the terminal device a Request-Identity EAP packet, and if the 
mobile terminal utilizes the IEEE 802.1x protocol the access point receives a Response-Identity 
EAP packet. The access point further comprises the means to configure IP packet filtering 
to redirect the device HTTP request to a local server if the terminal device does not utilize 
said protocol. 

In a further embodiment of the apparatus, the access point includes a means to 
communicate IEEE 802.1x protocol exchanges and means to establish IP packet filtering 
through an IP filter module and state information for the HTTP server to control the terminal 
device access during and after the IEEE 802.1x based authentication process if the access point 
detects that the terminal device is an IEEE 802.1x client. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is best understood from the following detailed description when read in 
connection with the accompanying drawing. The various features of the drawings are not 
specified exhaustively. On the contrary, the various features may be arbitrarily expanded or 
reduced for clarity. Included in the drawing are the following figures: 

FIG. 1 is a block diagram of a communications system for practicing the method of the 
present invention for improving the security of a terminal device in a WLAN environment. 

FIG. 2 is a flow diagram of the method of the authentication sequence of the present invention. 
FIG. 3 is a flow diagram of the method of the present invention illustrating an authentication 
failure. 



FIG. 4 is a block diagram of an apparatus for implementing the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

In the figures to be discussed, the circuits and associated blocks and arrows represent 
functions of the process according to the present invention, which may be implemented as 
electrical circuits and associated wires or data busses that transport electrical signals. 
Alternatively, one or more associated arrows may represent communication (e.g., data flow) 
between software routines, particularly when the present method or apparatus of the present 
invention is implemented as a digital process. 

In accordance with FIG. 1, one or more mobile terminals, represented by 140₁ through 
140ₙ, communicate through an access point (AP) 130₁ through 130ₙ with a local computer 120, in 
association with firewalls 122, and one or more virtual operators 150₁₋ₙ, such as authentication 
server 150. Communication from terminals 140₁₋ₙ typically requires accessing a secured data 
base or other resources, utilizing the Internet 110 and associated communication paths 154 
and 152, which require a high degree of security from unauthorized entities, such as would-be 
hackers. 

As further illustrated in FIG. 1, the WLAN architecture encompasses several 
components and services that interact to provide station mobility transparent to the higher 
layers of a network stack. The stations, such as access points 130₁₋ₙ and mobile terminals 
140₁₋ₙ, are the components that connect to the wireless medium and typically contain the 
functionality of the IEEE 802.1x protocols, that being the MAC (Medium Access Control) 134, 
the corresponding PHY (Physical Layer) (not shown), and a connection 127 to the wireless 
media. Communication functions and protocols are implemented in the hardware and software 
of a wireless modem or a network access or interface card. This invention proposes a method 
for implementing a means in the communication stream such that an access point 130ₙ 
improves the security of a terminal device in a WLAN environment 115 whether the device 
utilizes an IEEE 802.1x protocol or not, and remains within the compatibility requirements of the 
IEEE 802.1x WLAN MAC layers for downlink traffic (e.g. from an authentication server 
150 to the mobile terminal 140ₙ, such as a laptop), as each may participate in the authentication 
of one or more wireless mobile devices 140₁₋ₙ, a local server 120 and a virtual operator such 
as the authentication server 150. 

In accordance with the present principles of the invention, an access 160 enables each 
mobile terminal 140₁₋ₙ to securely access a WLAN 115 by authenticating the mobile 
terminal 140₁₋ₙ as well as its communication stream in accordance with the IEEE 802.1x 
protocol or another optional protocol, as the specific terminal 140ₙ may choose. The manner in 
which the access 160 enables such secure access can best be understood by reference to FIG. 
2, which depicts the sequence of interactions that occurs among a mobile wireless 
communication device, say mobile terminal 140ₙ, the public WLAN 115 and authentication 
server 150ₙ. When configured with the IEEE 802.1x protocols, the access point 130ₙ of FIG. 
1 maintains a controlled port and an uncontrolled port, through which the access point 
exchanges information with the mobile terminals 140ₙ. The controlled port maintained by the 
access point 130ₙ serves as the entryway for non-authentication information, such as data 
traffic, to pass through the access point between the WLAN 115 and the mobile terminals 
140ₙ. Ordinarily, the access point 130ₙ keeps the respective controlled port closed in 
accordance with the IEEE 802.1x protocol until authentication of the mobile wireless 
communications device. The access point 130ₙ always maintains the respective uncontrolled 
port open to permit the mobile terminals 140ₙ to exchange authentication data with the local 
server or virtual server 150ₙ. 

With reference to FIG. 2, a further embodiment of the present invention is the 
utilization of the access point 130ₙ to create several operational states. Following an EAP 
Response-Identity packet 220, a state 1x_progress 340 indicates that the mobile terminal 140ₙ 
is an IEEE 802.1x client and the 802.1x authentication process is ongoing. Such means to 
select from one or more available security protocols is well known to those skilled in the art 
of programming and engineering in a WLAN environment. The 802.1x engine 325 is 
therefore responsible for client detection and for providing the client capability information to 
other modules of the system. In addition, it also implements RADIUS client functionality to 
convert EAP messages to RADIUS messages, forwarding such messages in the form of a 
RADIUS Access-Request 230 and responding to RADIUS Access-Reject messages 240. The packet 
filter module 330 is responsible for filtering packets based on the criteria set by other 
modules. The method utilized by the access point to determine that the terminal is not an IEEE 
802.1x client is based on a timeout established for the response to 
the EAP Request-Identity packet. 

WO 2004/084464 PCT/US2004/007805 

More particularly, FIG. 3 illustrates an embodiment of the method of the present 
invention wherein the access point 130ₙ detects that the mobile terminal 140ₙ is not an 
authenticated IEEE 802.1x client and redirects the client 335, whereby, as configured by the 
packet filter module 330, its packets are directed to the HTTP server 120 via a web server redirect. 
Alternatively, mobile terminal 140ₙ may send a direct web request, which is 
redirected by the packet filter module 330 to the HTTP server 120. The HTTP server 120 
responds with information 350 specifically related to the browser based authentication. 
In the case where the access point 130ₙ detects that the terminal device is an IEEE 
802.1x client, it allows the 802.1x authentication exchanges to proceed 
through the access point 130ₙ and sets up appropriate packet filtering through the packet filter 
module 330 and state information for the HTTP server 120 to control the mobile terminal 140ₙ 
user access during and after the IEEE 802.1x based authentication process. 

The system maintains proper state information for 
the system to function properly. Such state information will be provided by the access point 
and the HTTP server 120. With reference to FIG. 3, a further embodiment of the present 
invention is the utilization of the access point 130ₙ 802.1x engine to create several 
operational states. Following a Response-Identity EAP packet 220, a state 1x_progress 340 
indicates that the mobile terminal 140ₙ is an IEEE 802.1x client and the 802.1x authentication 
process is ongoing. Following a Response-Identity EAP packet 220, a state 1x_failure 350 
would indicate that the 802.1x authentication process failed for one or more reasons not 
pertinent to the invention herein. Following a Response-Identity EAP packet 220, a state 
non_1x 360 would indicate that the mobile terminal 140ₙ is a non-IEEE 802.1x client. 
Because for such a client all access controls are done at the higher layers, no further 
classification of state is necessary. 
The 802.1x engine 325 is therefore responsible for client detection and providing the client 
capability information to other modules of the system. In addition, it also implements 
RADIUS client functionality to convert EAP messages to RADIUS messages. The packet 
filter module 330 is responsible for filtering packets based on the criteria set by other 
modules. 



FIG. 4 illustrates an apparatus of the present invention for improving the 
security of the terminal device 140ₙ in the WLAN 115 environment. The access point 130ₙ 
maintains communication with the terminal device 140ₙ and utilizes a means 
415 to determine whether the terminal device 140ₙ utilizes an IEEE 802.1x protocol; if the 
terminal 140ₙ does not utilize said protocol, then the access point 130ₙ employs an 
authentication means 420 compatible with the terminal device 140ₙ, otherwise the access point 
employs an IEEE 802.1x protocol utilizing means 425. The access point 130ₙ means to 
determine includes communicating to the terminal device 140ₙ a Request-Identity EAP packet, 
and if the mobile terminal 140ₙ utilizes the IEEE 802.1x protocol the access point 130ₙ 
receives a Response-Identity EAP packet. The access point 130ₙ further comprises the means 
430 to configure IP packet filtering to redirect, through means 435, the device HTTP request 
to a local server if the terminal device 140ₙ does not utilize the protocol. In the event the IEEE 
802.1x protocol is utilized, then the means 425 utilizes means 440 to ensure that the 
communication is not redirected. 

In a further embodiment of the apparatus, the access point includes a means to 
communicate IEEE 802.1x protocol exchanges and means to establish IP packet filtering 
through an IP filter module and state information for the HTTP server to control the terminal 
device access during and after the IEEE 802.1x based authentication process if the access point 
detects that the terminal device is an IEEE 802.1x client. 
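The client-detection sequence and operational states described above (Request-Identity sent by the access point, 1x_progress on a Response-Identity, 1x_failure on a RADIUS Access-Reject, non_1x on timeout with HTTP redirected to the local server) can be modelled as a small state machine. The following Python simulation is an added illustration and not the applicant's code; the timeout value, the per-client filter fields, the method names and the "forward/local/drop" routing outcomes are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
IDENTITY_TIMEOUT = 3.0  # seconds to wait for Response-Identity (assumed value)

class State(Enum):
    IDLE = "idle"                   # Request-Identity sent, no reply yet
    ONE_X_PROGRESS = "1x_progress"  # state 340: 802.1x client, auth ongoing
    ONE_X_FAILURE = "1x_failure"    # state 350: RADIUS Access-Reject received
    NON_1X = "non_1x"               # state 360: non-802.1x client, web auth

@dataclass
class PacketFilter:  # assumed per-client rules held by packet filter module 330
    redirect_http_to_local: bool = False  # web requests go to HTTP server 120
    allow_data: bool = False              # controlled port open for data traffic

@dataclass
class Client:
    mac: str
    state: State = State.IDLE
    filt: PacketFilter = field(default_factory=PacketFilter)

class AccessPoint:
    def __init__(self):
        self.clients = {}

    def associate(self, mac):
        self.clients[mac] = Client(mac)
        return ("EAP-Request-Identity", mac)  # first step: ask for the identity

    def on_response_identity(self, mac, identity):
        """Response-Identity proves an 802.1x client (state 340); the 802.1x
        engine 325 converts it into a RADIUS Access-Request (230)."""
        c = self.clients[mac]
        c.state = State.ONE_X_PROGRESS
        return {"radius": "Access-Request", "identity": identity}

    def on_radius_result(self, mac, accepted):
        """Access-Accept opens the controlled port; Access-Reject (240) -> 350."""
        c = self.clients[mac]
        if accepted:
            c.filt.allow_data = True
        else:
            c.state = State.ONE_X_FAILURE
        return c.state

    def on_identity_timeout(self, mac, waited):
        """No Response-Identity in time: non-802.1x client (state 360), so its
        HTTP requests are redirected to the local server for browser auth."""
        c = self.clients[mac]
        if c.state is State.IDLE and waited >= IDENTITY_TIMEOUT:
            c.state = State.NON_1X
            c.filt.redirect_http_to_local = True
        return c.state

    def route(self, mac, dst_port):
        """Packet filter decision for an IP packet sent by the client."""
        c = self.clients[mac]
        if c.filt.allow_data:
            return "forward"
        if c.filt.redirect_http_to_local and dst_port == 80:
            return "local"  # captive web authentication at HTTP server 120
        return "drop"
```

EAPOL frames are not IP traffic and pass the always-open uncontrolled port, so `route` only models the controlled-port and redirect decisions for IP packets.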



It is to be understood that the form of this invention as shown is merely a preferred 
embodiment. Various changes may be made in the function and arrangement of parts; 
equivalent means may be substituted for those illustrated and described; and certain features 
may be used independently from others without departing from the spirit and scope of the 
invention as defined in the following claims. 



